Introduction to the new Control Tower controls

AWS Control Tower, a powerful management service for multi-account AWS environments, has recently launched 28 new proactive controls, further strengthening its governance capabilities. These controls empower organizations to enforce compliance and security measures at scale by preemptively blocking the provisioning of non-compliant resources across various services, including AWS OpenSearch Service, AWS Auto Scaling, Amazon SageMaker, Amazon API Gateway, and Amazon RDS. With this significant enhancement, AWS Control Tower provides an invaluable solution for meeting control objectives and ensuring the integrity of cloud environments.

Key advantages from AWS Control Tower

Compliance and Security at Scale: The introduction of proactive controls in AWS Control Tower enables organizations to enforce compliance and security measures across their multi-account AWS environments. By leveraging AWS CloudFormation Hooks, Control Tower identifies and blocks non-compliant resources before they are provisioned. This proactive approach significantly reduces the risk of potential security breaches and non-compliance issues, allowing businesses to maintain a robust and secure infrastructure.

Meeting Control Objectives: AWS Control Tower’s proactive controls cover a wide range of control objectives, such as data encryption at rest and limiting network access. These controls provide organizations with the necessary tools to ensure their cloud environments adhere to specific security and governance policies. By blocking the provisioning of resources that violate these control objectives, AWS Control Tower mitigates potential risks and helps maintain a strong security posture.

Complementing Preventive and Detective Controls: The new proactive controls seamlessly integrate with AWS Control Tower’s existing preventive and detective control capabilities. While preventive controls aim to eliminate risks before they occur and detective controls focus on identifying risks after they have happened, proactive controls take an active stance in preventing non-compliant resources from being provisioned. By combining these three control types, AWS Control Tower offers a comprehensive and robust governance framework that effectively mitigates risks throughout the entire lifecycle of AWS resources.

Global Availability: AWS Control Tower’s new proactive controls are available in all AWS Regions where Control Tower is supported. This global availability ensures that organizations worldwide can leverage the enhanced governance capabilities offered by AWS Control Tower, and lets businesses operating in several Regions maintain consistent compliance and security standards across their AWS environments, regardless of regional differences.

What are the key new proactive controls?

The 28 new proactive controls introduced in AWS Control Tower encompass a wide range of compliance and security measures, empowering organizations to maintain a robust and secure cloud environment. Here are three examples of the new proactive controls we think are worth noticing:

  1. Data Encryption at Rest: One of the proactive controls focuses on data encryption at rest, a critical aspect of maintaining data confidentiality and integrity. This control ensures that resources provisioned through AWS Control Tower, such as AWS OpenSearch Service, Amazon RDS (Relational Database Service), and Amazon S3 (Simple Storage Service), enforce encryption measures to protect sensitive information. By blocking the provisioning of non-compliant resources lacking encryption at rest, AWS Control Tower helps organizations adhere to data security best practices.
  2. Network Access Control: Another proactive control helps organizations maintain control over their network access policies. This control can be applied to services such as Amazon API Gateway, AWS Elastic Load Balancing, and AWS App Mesh, among others. By implementing network access controls, AWS Control Tower ensures that only authorized network traffic is permitted, preventing potential security vulnerabilities and unauthorized access attempts. This proactive measure contributes to the overall security posture of the organization’s cloud infrastructure.
  3. Resource Usage Limits: AWS Control Tower’s proactive controls also enable organizations to establish resource usage limits, promoting efficient resource management and cost optimization. This control can be utilized for services like AWS Auto Scaling, which automatically adjusts the capacity of resources based on workload demand. By setting limits on resource usage, organizations can prevent excessive consumption, unexpected costs, and potential resource depletion. AWS Control Tower’s proactive control ensures compliance with predefined limits, allowing businesses to maintain cost-effective and optimized resource utilization.

These examples demonstrate the breadth of proactive controls available in AWS Control Tower, addressing crucial aspects of compliance, security, and resource management. By leveraging these controls, organizations can confidently govern their multi-account AWS environments and ensure the highest standards of security and compliance.
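To make the mechanism described above concrete (a CloudFormation Hook evaluating resources before they are provisioned, and the encryption-at-rest control objective from example 1), here is an added illustration that is not AWS's managed control or KeyCore code: a small Python check that walks a constructed CloudFormation template, flags RDS, S3 and OpenSearch resources lacking encryption at rest, and returns the FAILED/SUCCESS verdict a hook uses to block or allow the stack operation. The sample template, the property rules and the `evaluate` helper are assumptions made for the demo.

```python
"""Illustrative pre-provisioning check in the spirit of a Control Tower
proactive control: flag in-scope resources that do not enforce encryption
at rest. Simplified stand-in, not the AWS-managed control itself."""
from typing import Dict, List

# Constructed sample template: one compliant resource, two non-compliant ones.
SAMPLE_TEMPLATE = {
    "Resources": {
        "AppDb": {"Type": "AWS::RDS::DBInstance",
                  "Properties": {"Engine": "postgres", "StorageEncrypted": False}},
        "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "Search": {"Type": "AWS::OpenSearchService::Domain",
                   "Properties": {"EncryptionAtRestOptions": {"Enabled": True}}},
    }
}


def _encrypted(rtype: str, props: Dict) -> bool:
    """Per-type rule; a missing property is treated as 'not encrypted'."""
    if rtype == "AWS::RDS::DBInstance":
        return bool(props.get("StorageEncrypted", False))
    if rtype == "AWS::S3::Bucket":
        rules = (props.get("BucketEncryption", {})
                 .get("ServerSideEncryptionConfiguration", []))
        return any("ServerSideEncryptionByDefault" in r for r in rules)
    if rtype == "AWS::OpenSearchService::Domain":
        return bool(props.get("EncryptionAtRestOptions", {}).get("Enabled", False))
    return True  # resource types outside this control's scope are not judged here


def find_violations(template: Dict) -> List[str]:
    """Return logical IDs of in-scope resources that lack encryption at rest."""
    violations = []
    for logical_id, res in template.get("Resources", {}).items():
        if not _encrypted(res.get("Type", ""), res.get("Properties") or {}):
            violations.append(logical_id)
    return violations


def evaluate(template: Dict) -> str:
    """Mimic the hook verdict: FAILED blocks the stack operation, SUCCESS allows it."""
    return "FAILED" if find_violations(template) else "SUCCESS"


if __name__ == "__main__":
    print(find_violations(SAMPLE_TEMPLATE), evaluate(SAMPLE_TEMPLATE))
```

Running it on the sample template blocks the stack because `AppDb` and `Logs` fail the check, while the OpenSearch domain passes.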

Conclusion on the Control Tower improvements

The introduction of 28 new proactive controls in AWS Control Tower marks a significant advancement in governance and security for multi-account AWS environments. These controls enable organizations to enforce compliance measures, meet control objectives, and prevent non-compliant resource provisioning at scale. By combining proactive controls with existing preventive and detective controls, AWS Control Tower offers a comprehensive governance solution that significantly enhances security and reduces risks. With its global availability, businesses worldwide can now benefit from the strengthened governance capabilities provided by AWS Control Tower.

How can KeyCore help?

As Denmark’s leading AWS partner, KeyCore is ready to assist customers in implementing AWS Control Tower so that they get the most out of their AWS infrastructure in every respect. KeyCore’s implementation of Landing Zones and AWS Control Tower follows AWS best practices, and we deliver a solution for managing and controlling your AWS accounts that aligns with your business requirements.

